
Hardening PHP through the php.ini Configuration File.

If you have read my other post on hardening your LAMP stack / Plesk VPS, then you will know that most LAMP installs are not very secure by default.

Many of the default settings leave your system vulnerable and open to exploitation. Usually it starts with the system revealing too much information to potential hackers. The first step is always to reveal as little information about your setup as is humanly possible. The next step is to reduce your attack vectors by switching off features you do not need or use.

In this article, that is what we will be looking into: how to harden PHP through the php.ini configuration file.

Locating the php.ini Configuration File.

Firstly, we need to locate all our php.ini files, as there can be several: the default files (often two, one for the web server and one for the CLI, though not always) plus the copies made for individual domains if you are running a VPS. Use the following to find your php.ini configuration files.

$ locate php.ini

If you don’t get anything, or are missing some that you already knew of, you may want to update the locate database with this:

$ updatedb

Once we have our list, it’s time to start making some changes. I find it is best to change only one or two things at a time before restarting the server to make sure we have not broken anything. This way it is much easier to know what caused the breakage if something does go wrong.

Editing ‘php.ini’.

You can use whatever text editor you like; I use ‘vi’, but feel free to use nano/pico or a graphical editor on the desktop if you prefer.
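As an added example that is not from the original article, the following shell function applies the one-change-at-a-time approach described above: it sets a single directive in a php.ini file after taking a backup, and handles both commented-out and missing directives. It assumes only standard POSIX tools (sh, awk, grep, cp, date, mktemp); the sample php.ini it edits is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article: change one php.ini directive
# at a time, taking a backup first so a change that breaks the server can be
# reverted before the restart. Assumes only POSIX sh, awk, grep, cp, cat, date.

# set_ini_directive <php.ini> <directive> <value>
# Rewrites the first existing line for the directive (active or ';'-commented
# out), or appends it when absent, then prints the resulting line.
set_ini_directive() {
    ini=$1 key=$2 val=$3
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 1; }
    bak="$ini.bak.$(date +%Y%m%d%H%M%S)"
    [ -e "$bak" ] || cp -p "$ini" "$bak" || return 1   # keep the earliest state of this second
    tmp="$ini.tmp.$$"
    awk -v k="$key" -v v="$val" '
        { line = $0; sub(/^[ \t]*;?[ \t]*/, "", line)   # drop indent and comment marker
          if (!done && substr(line, 1, length(k)) == k &&
              substr(line, length(k) + 1) ~ /^[ \t]*=/) {
              print k " = " v; done = 1; next           # replace the first match only
          }
          print }
        END { if (!done) print k " = " v }              # append when the directive is absent
    ' "$ini" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$ini" && rm -f "$tmp"                 # keep php.ini owner and mode
    grep "^$key = $val\$" "$ini"
}

# Demonstration on a constructed php.ini with the insecure defaults this article
# replaces; on a real system the paths come from `locate php.ini`.
demo=$(mktemp) || exit 1
printf ';register_globals = On\ndisplay_errors = On\nmemory_limit = 128M\n' > "$demo"
set_ini_directive "$demo" display_errors off
set_ini_directive "$demo" register_globals off
set_ini_directive "$demo" allow_url_include off
rm -f "$demo" "$demo".bak.*
```

Restart the web server after each call and only move on to the next directive once the site still works.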

Prevent Information Disclosure.

Turn off error output in the browser, which could otherwise reveal sensitive details of your web app’s code.

display_errors = off

Disable Globals.

Register globals is scheduled for removal from PHP soon, and should be off by default. However, many LAMP/WAMP/MAMP stacks unfortunately still ship with it turned on (likely, and hopefully, still a minority of stacks). So don’t take the risk of leaving it on: check that it is turned off.

register_globals = off

Leaving this on leaves a massive vulnerability in your setup, because a regular variable in your code whose name matches a GET variable in the URL query string will start out with the value of that GET variable. This means an attacker can put whatever content they like into any variable in your code and cause an unexpected outcome of their choosing. With register_globals on, the GET variables will always overwrite the default assigned value, so this is a serious vulnerability if it is not turned off.

Disable Remote File Includes.

If an attacker finds some part of your web app that can be made to include or execute a remote script, stop that attack from succeeding by preventing PHP from reading or executing remote scripts.

allow_url_fopen = off
allow_url_include = off

Restrict File Uploads.

You can prevent file uploads if you do not have any use for such a feature by using the following:

file_uploads = off

If left on, an attacker can rename a script file to look like an image, upload it successfully, and then run the script by requesting its URL. This is very bad because they can now execute scripts they have uploaded to your server. You should also consider applying rules to Apache/PHP that prevent the execution of scripts in your upload directories as a safety precaution.

I would recommend setting a sensible maximum file size for uploads, say 2 megabytes.

upload_max_filesize = 2M

You can also change your default temporary file upload directory:

upload_tmp_dir = /var/php_tmp

If you want to make sure that malicious hackers cannot abuse your upload facilities, ensure that you prevent script execution in the directories where you store your uploads. This goes in either your .htaccess file or your httpd.conf file (which is outside the scope of this article, but I will give you the snippet you need nevertheless).

# <Directory> containers and php_admin_flag are only valid in httpd.conf or a
# vhost file, not in .htaccess. With the engine off, Apache serves an uploaded
# .php file as a static file instead of executing it.
<Directory /var/www/vhosts/yourdomain.com/httpdocs/your_upload_dir/>
Options None
AllowOverride None
php_admin_flag engine off
# The two lines below deny all HTTP access to the directory; drop them if the
# uploaded files (e.g. images) still need to be served to visitors.
order deny,allow
deny from all
</Directory>

Protect Sessions.

Protect your sessions from being hijacked, or shared in links people post online or send to friends, by enabling HttpOnly cookies. This also prevents JavaScript from reading your session cookie.

session.cookie_httponly = 1

Also add a referer check, like:

session.referer_check = codeconsortium.com

You might want to change your default session save path to somewhere hackers won’t find as easily. E.g:

session.save_path = /var/lib/php

Disable Unnecessary Functions.

PHP includes many functions that you will likely never need or use, but which could be very helpful to hackers. Disabling them will probably not affect your site, but it will make the hacker’s job much more difficult.

; Test the site after applying this: some applications and frameworks call set_time_limit, proc_open or shell_exec.
disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo
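The audit below is an added example, not the article’s own code: it checks a php.ini file against the directives from the sections above (error display, register_globals, remote includes, the HttpOnly session cookie and the disable_functions entries that matter most) and reports each one that is still insecure. It assumes standard POSIX tools (sh, awk, tr, mktemp); the php.ini it runs on is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original article: audit one php.ini against the
# directives recommended above. Assumes POSIX sh, awk and tr; run it on each
# file that `locate php.ini` lists.

# ini_get <php.ini> <directive>: effective value; the last active line wins (as
# PHP resolves duplicates), quotes and inline ';' comments are stripped.
ini_get() {
    awk -v k="$2" '/^[ \t]*;/ { next }
        { line = $0; sub(/^[ \t]+/, "", line)
          if (substr(line, 1, length(k)) != k) next
          rest = substr(line, length(k) + 1)
          if (!sub(/^[ \t]*=[ \t]*/, "", rest)) next    # prefix only, e.g. display_errors_max_len
          sub(/[ \t]*;.*$/, "", rest); sub(/[ \t]+$/, "", rest); gsub(/^"|"$/, "", rest)
          val = rest }
        END { print val }' "$1"
}

# PHP accepts On/Off, 1/0, true/false, yes/no for booleans; fold them to on/off.
bool_norm() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in 1|on|true|yes) echo on ;; *) echo off ;; esac
}

# audit_php_ini <php.ini>: prints one "FAIL ..." line per finding, returns the count.
# An absent directive is also a finding: the compiled-in default (display_errors=1,
# allow_url_fopen=1) is not something a hardened server should rely on.
audit_php_ini() {
    ini=$1; bad=0
    for d in display_errors register_globals allow_url_fopen allow_url_include; do
        v=$(ini_get "$ini" "$d")
        if [ -z "$v" ]; then echo "FAIL $d not set"; bad=$((bad + 1))
        elif [ "$(bool_norm "$v")" = on ]; then echo "FAIL $d is on"; bad=$((bad + 1)); fi
    done
    [ "$(bool_norm "$(ini_get "$ini" session.cookie_httponly)")" = on ] ||
        { echo "FAIL session.cookie_httponly not enabled"; bad=$((bad + 1)); }
    # The disable_functions entries that matter most: command execution and phpinfo.
    disabled=",$(ini_get "$ini" disable_functions | tr -d ' \t'),"
    for f in exec system shell_exec passthru proc_open phpinfo; do
        case $disabled in *",$f,"*) ;; *) echo "FAIL $f not disabled"; bad=$((bad + 1)) ;; esac
    done
    return $bad
}

# Demonstration on a constructed php.ini carrying the insecure defaults described above.
demo=$(mktemp) || exit 1
printf 'display_errors = On\nregister_globals = On\nallow_url_fopen = On\n' > "$demo"
printf 'session.cookie_httponly = 0\ndisable_functions =\n' >> "$demo"
n=0; audit_php_ini "$demo" || n=$?; echo "findings: $n"
rm -f "$demo"
```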

Summary

Much of the work shown above is courtesy of MadIrish, though I have shortened the descriptions and focused more on the configuration changes than on their descriptions / implications. If you want more in-depth descriptions of what we have done here, you should check out MadIrish’s website.

Another change I made was the prevention of script execution in upload directories.

Though this article reproduces most of the steps MadIrish has described, it is more for my own record keeping than anything else. I hope it benefits others as well; credit for most of this goes to MadIrish. Good luck!